[Samba] Domain Admins

Golden Butler golden at cnt.org
Thu May 25 01:51:03 GMT 2006

  Is it necessary to group map groups you're using in samba?  For example:
  ntgroup "marketing"  -->  unix group "marketing"
  ntgroup "sales"         -->  unix group "sales"
  What are pros and cons to doing this, or is it optional?
  -- Delamatrix  _____  

From: Neil Muller [mailto:neil at neologix.net.au]
To: Golden Butler [mailto:golden at cnt.org]
Cc: Samba Mailing List [mailto:samba at lists.samba.org]
Sent: Wed, 24 May 2006 19:22:48 -0500
Subject: Re: [Samba] Domain Admins

Golden Butler wrote:
> Hi,
> I'm trying to set up one of my users to be a domain admin.  I have 
> unix/ldap group called "domainadm" with "user1" a member of the group.  
> When I run "net groupmap list" I get the following:
> Domain Admins (S-1-5-21-186220259-3826000728-3192352269-7033) -> domainadm
> But when I go to log in to the domain with "user1" on a winxp machine, 
> the user isn't able to make administrative changes to the computer.
> Is there something I'm doing wrong?
> - Delamatrix
> Samba 3.0.20b
> Openldap

I think you may need to check the rid you have used for the Domain 
Admins group. According to 
this is one of the well known rids which must be maintained for correct 
functioning of the NT groups systems. You have a rid of 7033 and I think 
it should be 512.

email: neil at neologix.net


More information about the samba mailing list